Response actions history
Elastic Security keeps a log of the response actions performed on endpoints, such as isolating a host or terminating a process. The log displays when each command was performed, the host on which the action was performed, the user who requested the action, any comments added to the action, and the action’s current status.
Requirement
You must have the appropriate user role to use this feature.
To access the response actions history for all endpoints, find Response actions history in the navigation menu or use the global search field. You can also access the response actions history for an individual endpoint from these areas:
- Endpoints page: Click an endpoint’s name to open the details flyout, then click the Response actions history tab.
- Response console page: Click the Response actions history button.
All of these contexts contain the same information and features. The following image shows the Response actions history page for all endpoints:

To filter and expand the information in the response actions history:
- Enter a user name or comma-separated list of user names in the search field to display actions requested by those users.
- Use the various drop-down menus to filter the actions shown:
  - Hosts: Show actions performed on specific endpoints. (This menu is only available on the Response actions history page for all endpoints.)
  - Actions: Show specific action types.
  - Statuses: Show actions with a specific status.
  - Types: Show actions based on the endpoint protection agent type (Elastic Defend or a third-party agent), and how the action was triggered (manually by a user or automatically by a detection rule).
- Use the date and time picker to display actions within a specific time range.
- Click the expand arrow on the right to display more details about an action.